How to use boto3 on EC2 instance without local configuration?

Question

My goal is to be able to run Python program using boto3 to access DynamoDB without any local configuration. I've been following this AWS document https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html) and it seems to be feasible using the 'IAM role' option https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#iam-role. This means I don't have anything configured locally.

However, as I attached a role with DynamoDB access permission to the EC2 instance the Python program is running and ran boto3.resources('dynamodb') I kept getting the following error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/ubuntu/.local/lib/python3.6/site-packages/boto3/__init__.py", line 100, in resource
    return _get_default_session().resource(*args, **kwargs)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/boto3/session.py", line 389, in resource
    aws_session_token=aws_session_token, config=config)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/boto3/session.py", line 263, in client
    aws_session_token=aws_session_token, config=config)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/session.py", line 839, in create_client
    client_config=config, api_version=api_version)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/client.py", line 86, in create_client
    verify, credentials, scoped_config, client_config, endpoint_bridge)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/client.py", line 328, in _get_client_args
    verify, credentials, scoped_config, client_config, endpoint_bridge)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/args.py", line 47, in get_client_args
    endpoint_url, is_secure, scoped_config)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/args.py", line 117, in compute_client_args
    service_name, region_name, endpoint_url, is_secure)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/client.py", line 402, in resolve
    service_name, region_name)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/regions.py", line 122, in construct_endpoint
    partition, service_name, region_name)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/botocore/regions.py", line 135, in _endpoint_for_partition
    raise NoRegionError()
botocore.exceptions.NoRegionError: You must specify a region.

I've searched the internet and it seems most of the solutions pointing to have local configuration (e.g. ~/.aws/config, boto3 config file, etc.).

Also, I have verified that from EC2 instance, I am able to get the region from instance metadata:

$ curl --silent http://169.254.169.254/latest/dynamic/instance-identity/document
{
    ...
  "region" : "us-east-2",
    ...
}

My workaround right now is to provide an environment variable AWS_DEFAULT_REGION passing via Docker command line.

Here is the simple code I have to replicate the issue:

>>>import boto3
>>>dynamodb = boto3.resource('dynamodb')

I expect somehow boto3 is able to pick up the region that is already available in the EC2 instance.

Answer 1

There are two types of configuration data in boto3: credentials and non-credentials (including region). How boto3 reads them differs.

See:

• Configuring Credentials
• https://github.com/boto/boto3/issues/375

Specifically, boto3 retrieves credentials from the instance metadata service but not other configuration items (such as region).

So, you need to indicate which region you want. You can retrieve the current region from metadata and use it, if appropriate. Or use the environment variable AWS_DEFAULT_REGION.

Answer 2

You can pass region as a parameter to any boto3 resource.

dynamodb = boto3.resource('dynamodb', region_name='us-east-2')